Computer security vulnerability assessment

ABSTRACT

Computer security vulnerability assessment is performed with product binary data and product vulnerability data that correspond with product identification data. A correspondence between the product binary data and the product vulnerability data is determined, and a binaries-to-vulnerabilities database is generated. The binaries-to-vulnerabilities database is used to scan binary data from a target device to find matches with the product binary data. A known security vulnerability of the target device is determined based on the scanning and the correspondence between the product binary data and the vulnerability data. In some embodiments, the target device is powered off and used as an external storage device to receive the binary data therefrom.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/664,670 filed Jul. 31, 2017, which is a continuation of U.S. patentapplication Ser. No. 15/275,123 filed Sep. 23, 2016; both of which areincorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION

Vulnerability assessment and malware detection are two fields orindustries that deal with issues of computer security. A positivemalware detection generally requires an immediate response to eliminatea threat to the computer device of a potentially imminent maliciousevent. Typically, the response is to quarantine, remove, or replace thesoftware file of the malware. With a positive vulnerability assessment,on the other hand, the computer device can usually continue to operatewithout concern for a threat to the computer device, since a maliciousevent is not necessarily imminent. However, if the computer device isgoing to be used in an environment that has a particular securitystandard, then there is considerable concern over whether the computerdevice meets that security standard or would present a security problemfor the environment. For example, if the computer device is to be usedin a medical facility with a secure network through which the computerdevice will have access to confidential patient records, then it is veryimportant to determine whether the computer device is hosting orexecuting any binary files that are known to be easy targets for hackersto gain access to the computer device and from there to any othercomputer or data storage device accessible through the secure network.Therefore, before the computer device can be granted access to thesecure network, the vulnerability to malicious events of the computerdevice must be assessed, and any known vulnerabilities must be remediedor eliminated. The assessment must be thorough, robust, secure, quickand efficient, in order to prevent security problems, while allowingbusiness operations to proceed with minimal interruption.

SUMMARY OF THE INVENTION

In some embodiments, a more thorough, more robust, more flexible andmore secure computer security vulnerability assessment is achieved witha method in which a computerized system receives product binary data andfirst product identification data that correspond to each other. Thecomputerized system receives product vulnerability data and secondproduct identification data that correspond to each other. Thecomputerized system determines a correspondence between the productbinary data and the product vulnerability data based on matching thefirst product identification data with the second product identificationdata. The computerized system generates a binaries-to-vulnerabilitiesdatabase based on the determined correspondence between the productbinary data and the product vulnerability data. Additionally, thebinaries-to-vulnerabilities database can be used with a scan of targetbinary data from a target device to determine a known securityvulnerability of the target device.

In some embodiments, a more thorough, more robust, more flexible andmore secure computer security vulnerability assessment is achieved witha method in which a computerized system receives abinaries-to-vulnerabilities database that provides a correspondencebetween binary data and vulnerability data. The computerized systemestablishes a communication connection to a target device. Thecomputerized system receives binary files from the target device. Thecomputerized system uses the binaries-to-vulnerabilities database toscan the binary files to find matches between the binary files and thebinary data. The computerized system determines a known securityvulnerability of the target device based on 1) results of the scanningand 2) the correspondence between the binary data and the vulnerabilitydata.

In some embodiments, a more thorough, more robust, more flexible andmore secure computer security vulnerability assessment is achieved witha method in which a computerized system receives product binary data andfirst product identification data that correspond to each other. Thecomputerized system receives product vulnerability data and secondproduct identification data that correspond to each other. Thecomputerized system determines a correspondence between the productbinary data and the product vulnerability data based on matching thefirst product identification data with the second product identificationdata. The computerized system establishes a communication connection toa target device. The computerized system receives target binary filesfrom the target device. The computerized system uses the product binarydata to scan the target binary files to find matches between the targetbinary files and the product binary data. The computerized systemdetermines a known security vulnerability of the target device basedon 1) results of the scanning and 2) the correspondence between theproduct binary data and the product vulnerability data.

In some embodiments, the computerized system 1) grants access by thetarget device to a secure environment based on determining that thetarget device has no known security vulnerability; and 2) denies accessby the target device to the secure environment based on determining thatthe target device has the known security vulnerability. In someembodiments, the product vulnerability data describes a vulnerability toa malicious event of a computer device that contains a software productcorresponding to the product binary data, regardless of whether thesoftware product is infected with malicious code. In some embodiments,the product binary data contains strings of bits, bytes, words orcharacters extracted from files of software products. In someembodiments, the product binary data contains hashes of strings of bits,bytes, words or characters extracted from files of software products. Insome embodiments, the computerized system collects the product binarydata and the first product identification data from a plurality ofclient devices; and each client device collects the product binary dataand the first product identification data related to software productsthat are on that client device and maps the product binary data to thecorresponding first product identification data for each of the softwareproducts. In some embodiments, the target device is a computer that hasbeen turned off; and the computerized system loads the target device asan external storage device. In some embodiments, the computerized systemgenerates a report containing at least a listing of 1) designations ofthe binary data that was found to match the binary files, and 2)designations of the vulnerability data that correspond to the binarydata that was found to match the binary files. In some embodiments, thecomputerized system receives an indication of one of a first, second orthird level of vulnerability assessment to be performed on the targetdevice; wherein: in the first level of vulnerability assessment, thetarget binary files are executable binary files; in the second level ofvulnerability assessment, the target binary files are the executablebinary files and library files used by the executable binary files; andin the third level of vulnerability assessment, the target binary filesare all binary files stored on the target device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified schematic diagram of an example computer securityvulnerability assessment system, in accordance with some embodiments.

FIGS. 2-5 are simplified database structures for use by, or generatedby, the example computer security vulnerability assessment system shownin FIG. 1, in accordance with some embodiments.

FIG. 6 is a simplified report generated by the example computer securityvulnerability assessment system shown in FIG. 1, in accordance with someembodiments.

FIGS. 7-10 are simplified flowcharts of processes performed bycomponents of the example computer security vulnerability assessmentsystem shown in FIG. 1, in accordance with some embodiments.

FIG. 11 is a simplified schematic diagram of a vulnerability databasesystem for use in the example computer security vulnerability assessmentsystem shown in FIG. 1, in accordance with some embodiments.

FIG. 12 is a simplified schematic diagram of a validation server for usein the example computer security vulnerability assessment system shownin FIG. 1, in accordance with some embodiments.

DETAILED DESCRIPTION OF THE INVENTION

Reference now will be made in detail to embodiments of the disclosedinvention, one or more examples of which are illustrated in theaccompanying drawings. Each example is provided by way of explanation ofthe present technology, not as a limitation of the present technology.In fact, it will be apparent to those skilled in the art thatmodifications and variations can be made in the present technologywithout departing from the spirit and scope thereof. For instance,features illustrated or described as part of one embodiment may be usedwith another embodiment to yield a still further embodiment. Thus, it isintended that the present subject matter covers all such modificationsand variations within the scope of the appended claims and theirequivalents.

FIG. 1 shows an example computer security vulnerability assessmentsystem 100 that provides a more thorough, robust, flexible and securecomputer security vulnerability assessment, in accordance with someembodiments. The illustrated embodiment with the components shown isprovided for explanatory purposes only, and other embodiments could useother specific components or combinations of components. In theillustrated embodiment, the computer security vulnerability assessmentsystem 100 generally includes a vulnerability database system 101 and avalidation server 102. The validation server 102 generally uses datagenerated by the vulnerability database system 101 to assess a securityvulnerability of a target device 103, e.g., as a means for network ordomain access control for determining whether to grant access by thetarget device 103 to a secure environment 104, for determining whetherto transfer the target device 103 from a lower security domain orenvironment to a higher security domain, for a security compliance checkprocedure, for performing a data security transfer, or for determining acomputer device's “health.” To do so, the vulnerability database system101 generally associates binary data (related to software products, orspecific versions of the software products, i.e. “product binary data”)with known security vulnerabilities (of the same software products, orspecific versions thereof, i.e. “product vulnerability data”). Thevalidation server 102 then scans (i.e., reads and searches through)binary data from the target device 103 (i.e. “target binary data”) todetermine whether any of the target binary data matches the productbinary data, thereby establishing a link to the product vulnerabilitydata. Known security vulnerabilities of the target device 103 are thusdetermined by this scan of binary data. Based on this securityvulnerability determination, the computer security vulnerabilityassessment system 100, or an administrator thereof, can furtherdetermine whether to grant access by the target device 103 to the secureenvironment 104.

The binary data (for the product binary data or the target binary data)generally contains 1) binary hashes of binary level files of thesoftware products, 2) binary hashes of strings of bits, bytes, words orcharacters extracted from the files of the software products, 3) theunprocessed strings of bits, bytes, words or characters that wereextracted, 4) the complete binary level files of the software products,or 5) any other appropriate binary-level representation of the softwareproducts. In various embodiments, therefore, the scanning of the targetbinary data and the matching with the product binary data is done at theindividual bit, byte, word, character, string, etc. level, e.g., as canbe performed with the “find” or “findstr” command available in theWindows™ command prompt or other string, binary, or file matching orcomparing type of function. The scanning and matching searches for amatch between two files or two strings within two files at the low levelof binary data, rather than matching a file name or other higher levelmeta data of two files.

The binary data is distinguished from data that simply identifies thesoftware products or applications, e.g., the name and version of thesoftware products or the file names or meta data of application filesassociated with, or mapped to, the software products. Conventionalsecurity vulnerability assessment systems use such file identificationdata (to determine which software products are on the target device 103and then to assess the security vulnerability of the target device 103in accordance therewith). However, this conventional technique is lessthorough, robust or flexible than the present system, because it couldpotentially miss some known vulnerabilities, since the actual binarylevel data in the files of the software product could be different fromthe official version of the software product. For example, some of thefiles could be corrupted or infected with malware, which would not bedetected by a conventional vulnerability assessment system that simplylooks at file identification data. The computer security vulnerabilityassessment system 100, thus, can be used in place of a conventionalsecurity vulnerability assessment system, or in combination therewith,to enable a more thorough, robust and flexible level of functionalitythat is not available in conventional security vulnerability assessmentsystems.

Additionally, a vulnerability scan or assessment is distinguished from amalware scan or detection procedure. Vulnerability assessment attemptsto determine whether a computer device is vulnerable to a maliciousevent, such as malware infection, hacking, intrusion, data corruption,data theft, spoofing, phishing, etc., regardless of whether the computerdevice is actually compromised by any type of malicious code orsoftware. In a sense, vulnerability is similar to a security defect inthe software that an external third party could take advantage of totake control of or damage the computer device. Thus, a vulnerability mayrender the computer device susceptible to malware. However, avulnerability is not necessarily a problem, since no malicious event mayhave occurred, and the computer device and the software products cancontinue to perform in an acceptable manner. Malware detection, on theother hand, generally attempts to determine whether a computer device orsoftware product has been infected with any known type of malicious codeor software, such as a virus, a trojan, etc., and usually results in arecommendation of whether the software product or malicious code shouldbe removed from, or not be allowed to run on, the computer device. Thus,although a malware scan may look at binary data, the result is adetermination of whether a file or computer device is actually infected,rather than being simply vulnerable to infection, such that there is aclear and present danger that renders the computer device or thesoftware products incapable of performing in an acceptable manner.Additionally, in some situations, it is possible to find malware on acomputer without necessarily finding a security vulnerability. Thecomputer security vulnerability assessment system 100, thus, performs adifferent function than, and takes a distinctly different view ofsecurity issues from, a malware detection system.

The vulnerability database system 101 is generally a computerized system(e.g., one or more computer devices or a central server implemented in acloud-based computing environment) for generating and maintaining alarge binaries-to-vulnerabilities mapping database 105. Thebinaries-to-vulnerabilities mapping database 105 associates binary datawith known security vulnerabilities by establishing links between thebinary data (related to software products, or specific versions of thesoftware products) and the known security vulnerabilities (of the samesoftware products, or specific versions thereof). Thus, formation of thebinaries-to-vulnerabilities mapping database 105 is based on adetermined correspondence between the product binary data and theproduct vulnerability data.

In some embodiments, the vulnerability database system 101 collects orgathers information to generate the binaries-to-vulnerabilities mappingdatabase 105. The collected information is generally in the form of abinaries-to-products mapping database 106 and aproducts-to-vulnerabilities mapping database 107. Thebinaries-to-products mapping database 106 contains links between theproduct binary data and corresponding product version identificationdata (e.g., the binary data may be linked to the product versionidentification data of according to each binary file's absolute filepath, file property information, digital signature, copyright, etc.).The products-to-vulnerabilities mapping database 107 contains linksbetween product vulnerability data (e.g., known securityvulnerabilities) and the corresponding product version identificationdata.

A conventional vulnerability assessment system, for example, typicallyuses data similar to that in the products-to-vulnerabilities mappingdatabase 107. The vulnerability database system 100, however, goesfurther by matching the product version identification data in the twodatabases 106 and 107 to determine links or correspondences between theproduct binary data and the product vulnerability data and to generatethe binaries-to-vulnerabilities mapping database 105 in accordancetherewith.

In some embodiments, the product binary data and the correspondingproduct version identification data for the binaries-to-products mappingdatabase 106 is received from various community client devices 108. Thecommunity client devices 108 are generally any appropriate computerdevices, such as desktop computers, notebook computers, tabletcomputers, smartphones, servers, etc. A community client applicationrunning on the community client devices 108 generally scans the binaryfiles of the software products that have been installed on the communityclient devices 108 and generates the product binary data therefrom. Thevarious community client applications map the product binary data (e.g.,including complete file binary data for a binary hash of the file binarydata) to the corresponding product version identification data (e.g.,including file names, product names, vendor names, product versiondesignators, product category, etc.) and submits this information to thevulnerability database system 101. The community client devices 108,therefore, submit to the vulnerability database system 101 real data forthe product binary data from actual usage of the software products inthe field, rather than relying on the documented versions of thesoftware products. In this manner, the vulnerability database system 101also takes into consideration more than just generally availablesoftware; for example, support is provided for custom or unofficialversions of software (that a vendor may make available to only one or afew special users) and beta software releases. The vulnerabilitydatabase system 101 can cross reference different submissions fromdifferent community client devices 108, process the receivedinformation, and store the information in the binaries-to-productsmapping database 106. Alternatively, the binaries-to-products mappingdatabase 106 could be generated from an existing file informationservice or from copies of the files of the software products. However, abenefit of using the community client devices 108 to produce the productbinary data and the corresponding product version identification data isthe ability to normalize the data and improve the accuracy of binaryownership.

In some embodiments, the product vulnerability data and thecorresponding product version identification data for theproducts-to-vulnerabilities mapping database 107 is received fromvarious products and vulnerabilities information sources 109. There area variety of sources 109 for known product vulnerability and severityinformation, including CVE (Common Vulnerabilities and Exposures), NVD(National Vulnerability Database) and OSVDB (Open Sourced VulnerabilityDatabase). These sources 109 generate vulnerability data that isspecific to a given product and version combination. The vulnerabilitydatabase system 101 periodically downloads this information, processesthis information, and forms the products-to-vulnerabilities mappingdatabase 107 therefrom.

The validation server 102 is generally a computerized system for usingthe binaries-to-vulnerabilities and mapping database 105 to assess thesecurity vulnerability of the target device 103 and thereby validate thetarget device 103 for use in the secure environment 104. The validationserver 102 represents any number of computer devices at any number oflocations, such as at multiple business operation facilities, where itmay be necessary to assess the security vulnerability of other computerdevices (e.g., multiple target devices 103) before validating thosedevices and granting them access to secure network domains. In someembodiments, the validation server 102 downloads an offline copy of thebinaries-to-vulnerabilities mapping database 105 (the offlinevulnerability database 110). Additionally, the validation server 102receives target binary data 111 (from the target device 103) thatgenerally includes binary data 112 (in the same form as that describedabove for the product binary data was), and a file path 113, for each ofthe binary files scanned from the target device 103.

The target device 103 is generally any appropriate computer device thata user may use to access the secure environment 104, such as a desktopcomputer, notebook computer, tablet computer, smartphone, server, etc.In some embodiments, the target device 103 is capable of being loaded asan external storage device by the validation server 102 when the targetdevice 103 is turned off. In this manner, the various files (for thetarget binary data 111) contained in the target device 103 can be safelyread by the validation server 102 in the same manner as reading datafiles from any mass storage device (e.g., a hard drive, optical drive,flash memory device, etc.) while the target device 103 is not operatingand cannot present a vulnerability risk.

Additionally, since the vulnerability scan performed by thevulnerability database system 100 is performed by the validation server102, rather than by the target device 103, no additional software forscanning purposes needs to be installed on the target device 103. Thistechnique is in contrast with conventional security vulnerabilityassessment systems that require the target device to be turned on inorder to run the vulnerability assessment scan. The software that needsto be executed on the target device to perform a conventionalvulnerability scan could potentially affect the security vulnerabilityof the target device. This potential issue is avoided by using thetarget device 103 as an external storage device for the validationserver 102, particularly when the target device 103 is turned off beforebeing loaded as the external storage device, since there is no chancethat the security vulnerability of the target device 103 could beaffected by this scanning technique.

In some situations, security vulnerability can depend on the particularcombination of different software products on the same device.Additionally, sometimes security vulnerability can depend on theparticular combination of software products with hardware products onthe same device. Therefore, in some embodiments, data for combinationsof software components 114 and hardware components 115 in the targetdevice 103 forms at least part of the target binary data 111 (e.g.,software/hardware configuration data 116).

Using the product binary data of the offline vulnerability database 110,the validation server 102 scans through the target binary data 111 tofind matches between the target binary data 111 and the product binarydata. Using any matches (results of the scanning) and the productvulnerability data of the offline vulnerability database of 110, thevalidation server 102 consolidates the information and generates atarget device vulnerability report 117 therefrom. The target devicevulnerability report 117 generally includes the binary data 112, thefile paths 113, and the known vulnerabilities. Alternatively, in someembodiments, generation of the target device vulnerability report 117 isoptional. In some embodiments, this data is returned via an API(application programming interface) or any other form of programmingcommunication methodology.

Given the target device vulnerability report 117, either an accesscontrol application 118 or a system administrator 119 can analyze thesecurity vulnerability level of the target device 103 to determinewhether to grant or deny access by the target device 103 to the secureenvironment 104. In some embodiments, the security vulnerability levelmay be provided as a score value indicating a level of vulnerability ofthe target device 103. For example, the security vulnerability level maybe zero if no known vulnerabilities are found, a low value if only a fewvulnerabilities are found, or a high value if a relatively large numberof vulnerabilities are found. In some embodiments, the target device 103may have no known security vulnerability if no vulnerabilities with arisk level over a particular risk threshold have been discovered. Insome embodiments, the security vulnerability level may be simply apass/fail determination. In some embodiments, to grant access by thetarget device 103, an access control application 120 that manages accessto the secure environment 104 is configured (e.g., by the access controlapplication 118 or the system administrator 119) to allow the targetdevice 103 to connect to any network or computer devices within thesecure environment 104.

FIG. 2 shows an example for a simplified database structure for thebinaries-to-products mapping database 106, and FIG. 3 shows an examplefor a simplified database structure for the products-to-vulnerabilitiesmapping database 107, in accordance with some embodiments. In thisembodiment, the binaries-to-products mapping database 106 includesfields for the name of each individual software product, the versiondesignator for the version of the software product, and thecorresponding binary files containing the product binary data for thesoftware product. Additionally, the products-to-vulnerabilities mappingdatabase 107 includes fields for the name of each individual softwareproduct, the version designator for the version of the software product,and the corresponding vulnerability files containing the productvulnerability data for known vulnerabilities for the software product.

FIG. 4 shows an example for a simplified database structure for anintermediate database 400 that combines the data from thebinaries-to-products mapping database 106 and theproducts-to-vulnerabilities mapping database 107, in accordance withsome embodiments. Using the data from the databases 106 and 107, thevulnerability database system 101 generates the intermediate database400 to include fields for the name of each individual software product(from databases 106 and 107), the version designator for the version ofthe software product (from databases 106 and 107), the binary filescontaining the product binary data for the software product (fromdatabase 106), and the vulnerability files containing the productvulnerability data for known vulnerabilities for the software product(from database 107). The intermediate database 400, therefore, providesa link between the binary files containing the binary data and the knownvulnerabilities. With additional processing of the intermediate database400 by the vulnerability database system 101, the links between theindividual binary files and the corresponding known vulnerabilities aredetermined, and the binaries-to-vulnerabilities mapping database 105 isgenerated therefrom, e.g., as shown in FIG. 5. In other embodiments, thevulnerability database system 101 processes the data from the databases106 and 107 to generate the binaries-to-to-vulnerabilities mappingdatabase 105 without forming the intermediate database 400.

FIG. 5 shows an example for a simplified database structure for thebinaries-to-vulnerabilities mapping database 105, in accordance withsome embodiments. In this embodiment, the binaries-to-vulnerabilitiesmapping database 105 includes fields for the binary files containing theproduct binary data for each the software product and the correspondingvulnerability files containing the product vulnerability data for knownvulnerabilities related to the product binary data in the binary files.Additionally, the simplified database structure for thebinaries-to-vulnerabilities mapping database 105 shown in FIG. 5 is alsoprovided for the offline vulnerability the database 110 downloaded andused by the validation server 102.

FIG. 6 shows an example for a simplified database structure for thetarget device vulnerability report 117, in accordance with someembodiments. In some embodiments, the security vulnerability of thetarget device 103 is provided as a listing of the designation of thebinary data, the binary hash data, and the file path of the binary file(from which the data was extracted or generated) along with adesignation or description of the known vulnerabilities that correspondto be binary data. In the illustrated example, Binary_1 is a designationof a particular instance of binary data in the offline vulnerabilitydatabase 110 that was found to match a particular instance of binarydata in a binary file that was read from the target device 103.Additionally, Hash_1 is a hash of the binary data, or alternatively adesignation of a particular instance of a hash of the binary data.Filepath_1 is the file path for locating the binary file (on the targetdevice 103) that matched the particular instance of binary data in theoffline vulnerability database 110. Vulner_1, Vulner_2, etc. aredesignations or descriptions of the known vulnerabilities that have beenlinked to, or correspond to, the particular instance of binary data. Ata minimum, the report generally includes the designations of the binarydata and the known vulnerabilities. With the addition of the file pathinformation, the system administrator 119 of the validation server 102,the access control application 118, or a user of the target device 103can quickly locate the vulnerable binary files in the target device 103in order to remove them, replace them, or take other actions.

FIG. 7 shows a simplified flow chart of a process 700 performed by thecommunity client application running on the community client devices 108to produce the product binary data and the corresponding product versionidentification data for the binaries-to-products mapping database 106.The particular steps, order of steps, and combination of steps is shownfor explanatory purposes only. Other embodiments may use other steps orcombinations of steps or in a different order to perform the samegeneral function. Additionally, one or more applications or routines canperform the process 700.

Upon starting (at 701), the community client application detects (at702) the applications or software products installed on the communityclient device 108. Thus, the community client application reads andstores the file names and file paths for all of the software productscontained or installed in the community client device 108.Alternatively, the community client application can read thisinformation from a preexisting listing in the community client device108. At 703, the community client application collects the relevantbinary information or data for each of the detected application. Thus,the community client application reads the binary data for the files ofeach detected application and then either generates and stores a hash ofthe binary data or stores the original binary data. In some embodiments,the community client application collects or generates this data with anendpoint assessment software available with such products as the OESISFramework™ by Opswat, Inc., including Metadefender Endpoint Management™,as well as other solutions, Cisco AnyConnect™, F5 BIG-IP™, or similartypes of products. At 704, the community client application maps, linksor correlates the binary data (e.g., the hash or the original data) tothe product and version combination. Thus, the community clientapplication generates and stores information that links the binary data,the software product name, the version of the software product, the filename for the application of the software product, and any otherappropriate information with which to form binary-to-product/versioninformation. At 705, the community client application submits thebinary-to-product/version information to the vulnerability databasesystem 101. Thus, the community client application causes the communityclient device 108 to generate file transfer packets and transmit themthrough a network (e.g., the Internet, a LAN, a WAN, etc.) to thevulnerability database system 101. In some embodiments, the communityclient device 108 submits the information via a REST (representationalstate transfer) API post action to the vulnerability database system101.

FIG. 8 shows a simplified flow chart of a process 800 performed by thevulnerability database system 101 to produce thebinaries-to-vulnerabilities mapping database 105. The particular steps,order of steps, and combination of steps is shown for explanatorypurposes only. Other embodiments may use other steps or combinations ofsteps or in a different order to perform the same general function.Additionally, one or more applications or routines can perform theprocess 800.

Upon starting (at 801), the vulnerability database system 101 receives(at 802) the binary-to-product/version information from the communityclient device 108. Thus, the vulnerability database system 101 receivesthe file transfer packets, parses the data contained therein, andextracts the binary-to-product/version information. At 803, thevulnerability database system 101 stores the binary data with an indexof the product and version combination. Thus, the vulnerability databasesystem 101 reads the information received from the community clientdevice 108 and stores it in the binaries-to-products mapping database106, e.g., as shown in FIG. 2. Concurrent with or independent of 802 and803, the vulnerability database system 101 also periodically downloadsand processes (at 804) the public vulnerability data. Thus, thevulnerability database system 101 receives, parses, processes and storesthe known product vulnerability and severity information from thevariety of sources 109, described above. At 805, the vulnerabilitydatabase system 101 stores the vulnerability data with an index of theproduct and version combination. Thus, the vulnerability database system101 reads the information received from the variety of sources 109 andstores it in the binaries-to-products mapping database 107, e.g., asshown in FIG. 3. At 806, the vulnerability database system 101 processesthe data from the two databases 106 and 107 to generate therelationships between the binary data and the vulnerability data. Thus,the vulnerability database system 101 reads and scans through theproduct and version combination information in the databases 106 and 107to find matching product data with which to generate, compile and storethe data for the intermediate database 400, e.g., as shown in FIG. 4,thereby linking the binary files with the known vulnerabilities. Thevulnerability database system 101 then reads and stores the binary filesand the corresponding known vulnerabilities in thebinaries-to-vulnerabilities mapping database 105, e.g., as shown in FIG.5.

FIG. 9 shows a simplified flow chart of a process 900 performed by thetarget device 103 to connect to the validation server 102. Theparticular steps, order of steps, and combination of steps is shown forexplanatory purposes only. Other embodiments may use other steps orcombinations of steps or in a different order to perform the samegeneral function. Additionally, one or more applications or routines canperform the process 900.

Upon starting (at 901), the target device 103 connects (at 902) to thevalidation server 102 as an external file storage device. Thus, thetarget device 103 configures itself as a storage device when thevalidation server 102 establishes a communication link with it, e.g.,via Firewire™, USB (Universal Serial Bus), WiFi, etc. In someembodiments, the target device 103 does not need to be in an operationalstate as long as the hosted files are accessible by the validationserver 102. In such embodiments, the communication link with thevalidation server 102 may have to be wired, rather than wireless. Insome embodiments, the user of the target device 103 turns off or powersdown the target device 103, so that the target device 103 connects tothe validation server 102 while turned off. Thus, when the validationserver 102 attempts to connect to the target device 103, the targetdevice 103 activates a functionality that allows access to its harddrive or mass storage device while the rest of the target device 103,including the CPU, remains powered down or turned off. The “target diskmode” function of some computer systems available from Apple ComputerCorp. and the FlashMate™ alternative hybrid-drive functionality areexamples of this technique of loading an unpowered target device as anexternal storage device.

FIG. 10 shows a simplified flow chart of a process 1000 performed by thevalidation server 102 to scan the target device 103 and generate thetarget device vulnerability report 117. The particular steps, order ofsteps, and combination of steps is shown for explanatory purposes only.Other embodiments may use other steps or combinations of steps or in adifferent order to perform the same general function. Additionally, oneor more applications or routines can perform the process 1000.

Upon starting (at 1001), the validation server 102 downloads (at 1002)the binaries-to-vulnerabilities mapping database 105 as an offlineupdate package (e.g., the offline vulnerability database 110). Thus, thevalidation server 102 receives and stores the product binary data andthe product vulnerability data. At 1003, the validation server 102 loadsthe target device 103 as an external file storage device. Thus, thevalidation server 102 establishes a communication link with the targetdevice 103, the target device 103 configures itself as a storage device(as described above), and the validation server 102 configures itself touse the target device 103 as an external storage device. At 1004, thevalidation server 102 scan the first binary file in the target device103 against the offline version of the binaries-to-vulnerabilitiesmapping database 105 (the offline vulnerability database 110). Thus, thevalidation server 102 reads the target binary data from the first binaryfile of the target device 103 and searches through the target binarydata to find matches between the target binary data and the productbinary data in the offline vulnerability database 110. A match indicatesthat the binary file contains a known vulnerability, as determined at1005. In this case, the validation server 102 logs (at 1006) the binaryfile name, the file path, and the vulnerability information. Thus, thevalidation server 102 reads and stores the relevant data from the targetbinary data and the offline vulnerability database 110. If there was nomatch (at 1005) or after logging the data (at 1006), and if thevalidation server 102 has not reached the last binary file (asdetermined at 1007), then the validation server 102 selects (at 1008)the next binary file and repeats 1004-1008 until all of the binary fileson the target device 103 have been scanned.

In some embodiments, the validation server 102 provides different levelsof vulnerability assessment for the target device 103, and thevalidation server 102 receives an indication from the systemadministrator 119 of which level of vulnerability assessment that is tobe performed on the target device 103. For example, a firstvulnerability assessment level (referred to herein as a “quick”assessment) scans (at 1004-1008) only those executable binary files thatthe target device 103 actually runs or executes. A second vulnerabilityassessment level (referred to herein as a “deep” assessment) scans (at1004-1008) the executable binary files that the target device 103actually runs or executes along with the library files used by theexecutable binary files. A third vulnerability assessment level(referred to herein as a “full” assessment) scans (at 1004-1008) all ofthe binary files hosted or stored on the target device 103. In someembodiments, the quick assessment and the deep assessment scan thosebinary files that the target device 103 is currently running orexecuting while the validation server 102 is receiving, reading and/orscanning them, which means that the target device 103 is powered on forthese assessments. On the other hand, since the full assessment is notconcerned with which binary files the target device 103 executes, thisassessment can be performed with the target device 103 powered off. Insome embodiments, the target device 103 maintains a stored list of thebinary files that it has executed, has executed recently, or hasexecuted most often. In this case, the validation server 102 downloadsthe stored list, so the quick and deep assessments can be performed withthe target device 103 powered off.

After scanning the last binary file (as determined at 1007), thevalidation server 102 consolidates the scan results into the targetdevice vulnerability report 117 (at 1009). Thus, the validation server102 assembles all of the target binary data and known vulnerability dataand stores it together in the target device vulnerability report 117,e.g., as shown in FIG. 6.

FIG. 11 shows a simplified schematic diagram showing an examplecomputing system(s) 1100 for use as the vulnerability database system101, in accordance with some embodiments. Other embodiments may useother components and combinations of components. For example, thecomputing system 1100 may represent one or more physical computerdevices, such as web servers, rack-mounted computers, network storagedevices, desktop computers, laptop/notebook computers, etc. In someembodiments implemented at least partially in a cloud networkpotentially with data synchronized across multiple geolocations, thecomputing system 1100 may be referred to as a cloud server or clouddatabase. In some embodiments, the functions of the computing system1100 are enabled in a single computer device. In more compleximplementations, some of the functions of the computing system 1100 aredistributed across multiple computer devices, whether within a singleserver farm facility or multiple physical locations. In some embodimentswherein the computing system 1100 represents multiple computer devices,some of the functions of the computing device 1100 are implemented insome of the computer devices, while other functions are implemented inother computer devices. In the illustrated embodiment, the computingsystem 1100 generally includes at least one processor 1101, a mainelectronic memory 1102, a data storage 1103, a user I/O 1104, and anetwork I/O 1105, among other components not shown for simplicity,connected or coupled together by a data communication subsystem 1106.

The processor 1101 represents one or more central processing units onone or more PCBs in one or more housings or enclosures. In someembodiments, the processor 1101 represents multiple microprocessor unitsin multiple computer devices at multiple physical locationsinterconnected by one or more data channels, such as the Internet, aWAN, a LAN, etc. When executing computer-executable instructions forperforming the above described functions of the vulnerability databasesystem 101 in cooperation with the main electronic memory 1102, theprocessor 1101 becomes a special purpose computer for performing thefunctions of the instructions.

The main electronic memory 1102 represents one or more RAM modules onone or more PCBs in one or more housings or enclosures. In someembodiments, the main electronic memory 1102 represents multiple memorymodule units in multiple computer devices at multiple physicallocations. In operation with the processor 1101, the main electronicmemory 1102 stores the computer-executable instructions executed by, anddata processed by, the processor 1101 to perform the above describedfunctions of the vulnerability database system 101.

The data storage 1103 represents or comprises any appropriate number orcombination of internal or external physical mass storage devices, suchas hard drives, optical drives, network-attached storage (NAS) devices,flash drives, etc. In some embodiments, the data storage 1103 representsmultiple mass storage devices in multiple computer devices at multiplephysical locations. The data storage 1103 generally provides persistentstorage 1107 (e.g., a non-transitory computer readable medium) for theprograms (e.g., computer-executable instructions) and data used inoperations described above for the vulnerability database system 101(e.g., operations of the processor 1101 and the main electronic memory1102), such as, but not limited to, the databases 105, 106 and 107described above, a parsing routine 1108 (for parsing data), a searchingroutine 1109 (for searching through data for desired data), a comparingroutine 1110 (for comparing different data to find a match), a readingroutine 1111 (for reading data from the main electronic memory 1102 orpersistent storage 1107), a storing routine 1112 (for storing data inthe main electronic memory 1102 or persistent storage 1107), a networkcommunication application 1113 (for generating/parsing data packets totransmit/receive data to/from the community client device 108, thevarious products and vulnerabilities information sources 109, and thevalidation server 102), and a database management application 1114 (forgenerating, managing and accessing the databases 105, 106 and 107),among others not shown for simplicity. Under control of these programsand using this data, the processor 1101, in cooperation with the mainelectronic memory 1102, performs the above described functions for thevulnerability database system 101.

The user I/O 1104 represents one or more appropriate user interfacedevices, such as keyboards, pointing devices, displays, etc. In someembodiments, the user I/O 1104 represents multiple user interfacedevices for multiple computer devices at multiple physical locations. Asystem administrator, for example, may use these devices to access,setup and control the computing system 1100.

The network I/O 1105 represents any appropriate networking devices, suchas network adapters, etc. for communicating through a network, such asthe Internet, a WAN, a LAN, etc. In some embodiments, the network I/O1105 represents multiple such networking devices for multiple computerdevices at multiple physical locations for communicating throughmultiple data channels. The computing system 1100 communicates with thecommunity client device 108, the various products and vulnerabilitiesinformation sources 109, and the validation server 102 through thenetwork I/O 1105 to send and receive data and requests for data in orderto generate and share the databases 105, 106 and 107.

The data communication subsystem 1106 represents any appropriatecommunication hardware for connecting the other components in a singleunit or in a distributed manner on one or more PCBs, within one or morehousings or enclosures, within one or more rack assemblies, within oneor more physical facilities, etc.

FIG. 12 shows a simplified schematic diagram showing an examplecomputing system(s) 1200 for use as the validation server 102, inaccordance with some embodiments. Other embodiments may use othercomponents and combinations of components. For example, the computingsystem 1200 may represent one or more physical computer devices, such asweb servers, rack-mounted computers, network storage devices, desktopcomputers, laptop/notebook computers, etc. In some embodimentsimplemented at least partially in a cloud network potentially with datasynchronized across multiple geolocations, the computing system 1200 maybe referred to as a cloud server. In some embodiments, the functions ofthe computing system 1200 are enabled in a single computer device. Inmore complex implementations, some of the functions of the computingsystem 1200 are distributed across multiple computer devices, whetherwithin a single server farm facility or multiple physical locations. Insome embodiments wherein the computing system 1200 represents multiplecomputer devices, some of the functions of the computing device 1200 areimplemented in some of the computer devices, while other functions areimplemented in other computer devices. In the illustrated embodiment,the computing system 1200 generally includes at least one processor1201, a main electronic memory 1202, a data storage 1203, a user I/O1204, a network I/O 1205, and a peripheral I/O 1206, among othercomponents not shown for simplicity, connected or coupled together by adata communication subsystem 1207.

The processor 1201 represents one or more central processing units onone or more PCBs in one or more housings or enclosures. In someembodiments, the processor 1201 represents multiple microprocessor unitsin multiple computer devices at multiple physical locationsinterconnected by one or more data channels, such as the Internet, aWAN, a LAN, etc. When executing computer-executable instructions forperforming the above described functions of the validation server 102 incooperation with the main electronic memory 1202, the processor 1201becomes a special purpose computer for performing the functions of theinstructions.

The main electronic memory 1202 represents one or more RAM modules onone or more PCBs in one or more housings or enclosures. In someembodiments, the main electronic memory 1202 represents multiple memorymodule units in multiple computer devices at multiple physicallocations. In operation with the processor 1201, the main electronicmemory 1202 stores the computer-executable instructions executed by, anddata processed by, the processor 1201 to perform the above describedfunctions of the validation server 102.

The data storage 1203 represents or comprises any appropriate number orcombination of internal or external physical mass storage devices, suchas hard drives, optical drives, network-attached storage (NAS) devices,flash drives, etc. In some embodiments, the data storage 1203 representsmultiple mass storage devices in multiple computer devices at multiplephysical locations. The data storage 1203 generally provides persistentstorage 1208 (e.g., a non-transitory computer readable medium) for theprograms (e.g., computer-executable instructions) and data used inoperations described above for the validation server 102 (e.g.,operations of the processor 1201 and the main electronic memory 1202),such as, but not limited to, the target binary data 111, the offlinevulnerability database 110, the target device vulnerability report 117,the access control application 118, a parsing routine 1209 (for parsingdata), a searching routine 1210 (for searching through data for desireddata), a comparing routine 1211 (for comparing different data to find amatch), a reading routine 1212 (for reading data from the mainelectronic memory 1202 or persistent storage 1208), a storing routine1213 (for storing data in the main electronic memory 1202 or persistentstorage 1208), a network communication application 1214 (forgenerating/parsing data packets to transmit/receive data to/from thevulnerability database system 101 and the secure environment 104), and avulnerability assessment application 1215 (for managing the functionsdescribed above for performing the vulnerability assessment to determinethe security vulnerability of the target device 103), among others notshown for simplicity. Under control of these programs and using thisdata, the processor 1201, in cooperation with the main electronic memory1202, performs the above described functions for the validation server102.

The user I/O 1204 represents one or more appropriate user interfacedevices, such as keyboards, pointing devices, displays, etc. In someembodiments, the user I/O 1204 represents multiple user interfacedevices for multiple computer devices at multiple physical locations.The system administrator 119, for example, may use these devices toaccess, setup and control the computing system 1200 and, in someembodiments, to review the target device vulnerability report 117 anddetermine whether to grant access by the target device 103 to the secureenvironment 104.

The network I/O 1205 represents any appropriate networking devices, suchas network adapters, etc. for communicating through a network, such asthe Internet, a WAN, a LAN, etc. In some embodiments, the network I/O1205 represents multiple such networking devices for multiple computerdevices at multiple physical locations for communicating throughmultiple data channels. The computing system 1200 communicates with thevulnerability database system 101 and the secure environment 104 throughthe network I/O 1205 to send and receive data and requests for data(e.g., for the offline vulnerability database 110) in order to performthe vulnerability assessment and generate the target devicevulnerability report 117.

The peripheral I/O 1206 represents any appropriate peripheral interfacedevices, such as serial ports, parallel ports, USB ports, Firewire™ports, SCSI (Small Computer System Interface) ports, PCI (PeripheralComponent Interconnect) ports, etc. In some embodiments, the peripheralI/O 1206 represents multiple such peripheral interface devices formultiple computer devices at multiple physical locations forcommunicating through multiple protocols. The computing system 1200communicates with the target device 103 through the peripheral I/O 1206to send and receive data and requests for data in order to receive thetarget binary data 111 in order to perform the vulnerability assessmentand generate the target device vulnerability report 117.

The data communication subsystem 1207 represents any appropriatecommunication hardware for connecting the other components in a singleunit or in a distributed manner on one or more PCBs, within one or morehousings or enclosures, within one or more rack assemblies, within oneor more physical facilities, etc.

Various features of the computer security vulnerability assessmentsystem 100 represent improvements in various different fields. Forexample, the use of the binary data with the binaries-to-vulnerabilitiesmapping database 105 and the use of the turned-off target device 103 asan external storage device represent improvements in the fields ofsecurity vulnerability assessment, secure domain or network accesscontrol, database generation and maintenance, and computer systemsecurity. In particular, these features enable a more thorough, morerobust and more flexible system, since they operate with binary datamapped to vulnerability data, instead of, or in addition to, operatingwith application file names or other high level meta data. Additionally,these features enable a more secure system, since they operate with aturned-off target device, instead of a turn-on target device in whichongoing operations could affect the vulnerability assessment.Furthermore, these features may also represent improvements inadditional fields, and other features may represent improvements inthese and other fields. The computer security vulnerability assessmentsystem 100 described above also addresses the Internet-centric challengeof coordinating among different entities to manage communications,collect electronic information from disparate data sources across theInternet, and enable enhanced computer security vulnerability assessmentand target device validation at various desired locations. Additionally,the computer security vulnerability assessment system 100 describedabove does not preempt the field of security vulnerability assessment,because many other techniques for security vulnerability assessment arereadily available; whereas the technique described herein is simplydirected to the improvements thus enabled. Furthermore, it is noted thatthe security vulnerability assessment features make sense only in thecontext of a computing system, since significant portions of thefeatures involve complex traversal of a very large quantity of data withhighly complicated interrelations and calculations and functions that aperson would not need or be able to perform. In particular, a humancannot read through the binary data used by the present system.

Although embodiments of the invention have been discussed primarily withrespect to specific embodiments thereof, other variations are possible.Various configurations of the described structures or processes may beused in place of, or in addition to, the configurations presentedherein.

Those skilled in the art will appreciate that the foregoing descriptionis by way of example only, and is not intended to limit the invention.Nothing in the disclosure should indicate that the invention is limitedto systems that are implemented on a single computerized system. Ingeneral, any diagrams presented are only intended to indicate onepossible configuration, and many variations are possible. Those skilledin the art will also appreciate that methods and systems consistent withthe present invention are suitable for use in a wide range ofapplications encompassing NAC systems.

While the specification has been described in detail with respect tospecific embodiments of the invention, it will be appreciated that thoseskilled in the art, upon attaining an understanding of the foregoing,may readily conceive of alterations to, variations of, and equivalentsto these embodiments. These and other modifications and variations tothe present invention may be practiced by those skilled in the art,without departing from the spirit and scope of the present invention,which is more particularly set forth in the appended claims.

What is claimed is:
 1. A method comprising: receiving, by a computerizedsystem, binary data and first product identification data thatcorrespond to each other, the binary data including first binary hashesformed from a hash technique using strings of bits, extracted from atleast a portion of binary-level files of software products; receiving,by the computerized system, vulnerability data and second productidentification data that correspond to each other; determining, by thecomputerized system, correspondence between the binary data and thevulnerability data based on matching the first product identificationdata with the second product identification data; establishing, by thecomputerized system, a communication connection to a target device;receiving, by the computerized system, binary files from the targetdevice; generating, by the computerized system, second binary hashesformed from the same hash technique using strings of bits extracted fromat least a portion of the binary files; scanning, by the computerizedsystem using the binary data, the second binary hashes to find matchesbetween the second binary hashes and the first binary hashes ; anddetermining, by the computerized system, a known security vulnerabilityof the target device based on 1) results of the scanning and 2) thecorrespondence between the binary data and the vulnerability data. 2.The method of claim 1, further comprising: generating, by thecomputerized system, a binaries-to-vulnerabilities database based on thedetermined correspondence between the binary data and the vulnerabilitydata.
 3. The method of claim 2, wherein the binaries-to-vulnerabilitiesdatabase is downloaded and used offline.
 4. The method of claim 1,wherein at least a part of the binary files from the target device areformed from a software component and a hardware component.
 5. The methodof claim 1, further comprising: granting, by the computerized system,access by the target device to a secure environment based on determiningthat the target device has no known security vulnerability; and denying,by the computerized system, access by the target device to the secureenvironment based on determining that the target device has the knownsecurity vulnerability.
 6. The method of claim 1, wherein the knownsecurity vulnerability is a vulnerability of the target device to amalicious event, regardless of whether malicious code is present on thetarget device.
 7. The method of claim 1, wherein: the target device is acomputer that has been turned off; and the establishing of thecommunication connection further comprises loading the target device asan external storage device of the computerized system.
 8. The method ofclaim 1, wherein the determining of the known security vulnerabilityfurther comprises generating a report containing at least a listingof 1) designations of the first binary hashes that were found to matchthe second binary hashes, and 2) designations of the vulnerability datathat correspond to the binary data that includes the first binary hashesthat were found to match the second binary hashes.
 9. The method ofclaim 1, wherein: the receiving of the binary data and the first productidentification data further comprises collecting, by the computerizedsystem, the binary data and the first product identification data from aplurality of client devices; and each client device collects the binarydata and the first product identification data related to softwareproducts that are on that client device and maps the binary data to thecorresponding first product identification data for each of the softwareproducts.
 10. The method of claim 1, further comprising: receiving, bythe computerized system, an indication of one of a first, second orthird level of vulnerability assessment to be performed on the targetdevice; wherein: in the first level of vulnerability assessment, thebinary files are executable binary files; in the second level ofvulnerability assessment, the binary files are the executable binaryfiles and library files used by the executable binary files; and in thethird level of vulnerability assessment, the binary files are all binaryfiles stored on the target device.
 11. A non-transitory machine-readablemedium storing instructions executable by a server device for enablingthe server device to conduct a computer-implemented method, the methodcomprising: receiving, by the server device, binary data and firstproduct identification data that correspond to each other, the binarydata including first binary hashes formed from a hash technique usingstrings of bits, extracted from at least a portion of binary-level filesof software products; receiving, by the server device, vulnerabilitydata and second product identification data that correspond to eachother; determining, by the server device, correspondence between thebinary data and the vulnerability data based on matching the firstproduct identification data with the second product identification data;establishing, by the server device, a communication connection to atarget device; receiving, by the server device, binary files from thetarget device; generating, by the server device, second binary hashesformed from the same hash technique using strings of bits extracted fromat least a portion of the binary files; scanning, by the server deviceusing the binary data, the second binary hashes to find matches betweenthe second binary hashes and the first binary hashes; and determining,by the server device, a known security vulnerability of the targetdevice based on 1) results of the scanning and 2) the correspondencebetween the binary data and the vulnerability data.
 12. Thenon-transitory machine-readable medium of claim 11, further comprising:generating, by the server device, a binaries-to-vulnerabilities databasebased on the determined correspondence between the binary data and thevulnerability data.
 13. The non-transitory machine-readable medium ofclaim 12, wherein the binaries-to-vulnerabilities database is downloadedand used offline.
 14. The non-transitory machine-readable medium ofclaim 11, wherein at least a part of the binary files from the targetdevice are formed from a software component and a hardware component.15. The non-transitory machine-readable medium of claim 11, furthercomprising: granting, by the server device, access by the target deviceto a secure environment based on determining that the target device hasno known security vulnerability; and denying, by the server device,access by the target device to the secure environment based ondetermining that the target device has the known security vulnerability.16. The non-transitory machine-readable medium of claim 11, wherein theknown security vulnerability is a vulnerability of the target device toa malicious event, regardless of whether malicious code is present onthe target device.
 17. The non-transitory machine-readable medium ofclaim 11, wherein: the target device is a computer that has been turnedoff; and the establishing of the communication connection furthercomprises loading the target device as an external storage device of theserver device.
 18. The non-transitory machine-readable medium of claim11, wherein the determining of the known security vulnerability furthercomprises generating a report containing at least a listing of 1)designations of the first binary hashes that were found to match thesecond binary hashes, and 2) designations of the vulnerability data thatcorrespond to the binary data that includes the first binary hashes thatwere found to match the second binary hashes.
 19. The non-transitorymachine-readable medium of claim 11, wherein: the receiving of thebinary data and the first product identification data further comprisescollecting, by the server device, the binary data and the first productidentification data from a plurality of client devices; and each clientdevice collects the binary data and the first product identificationdata related to software products that are on that client device andmaps the binary data to the corresponding first product identificationdata for each of the software products.
 20. The non-transitorymachine-readable medium of claim 11, further comprising: receiving, bythe server device, an indication of one of a first, second or thirdlevel of vulnerability assessment to be performed on the target device;wherein: in the first level of vulnerability assessment, the targetbinary files are executable binary files; in the second level ofvulnerability assessment, the target binary files are the executablebinary files and library files used by the executable binary files; andin the third level of vulnerability assessment, the target binary filesare all binary files stored on the target device.